Pavel Břoušek authored
# sp_nuclei_test

nuclei templates for testing SAML service providers.
## Requirements

### nuclei

You can run nuclei in multiple ways. The most common ones are directly on your machine (using Go) or inside a Docker container.

#### go

Install the newest version of Go. The version included in your Linux distribution might not be current enough.

Then install nuclei.

You will run nuclei simply by calling `nuclei` (see below).

#### docker

Install Docker and make sure that you can call `docker` in your terminal.

You will run nuclei by executing:

```sh
docker run --rm -v ./:/app/ projectdiscovery/nuclei # ...
```

### conformance IdP

You need to set up a conformance IdP with a module developed for SAML signature validation testing.

Then you need to connect the SPs to the conformance IdP (exchange metadata), so that regular SAML authentication works.
## Usage

### Raw HTTP test (fast, no screenshots)

Make a copy of `secret-file.example.yaml` to `secret-file.yaml` and put in your authorization token for the conformance IdP.

Run against one target:

```sh
nuclei -u ACS_URL_HERE -V "SP_ENTITY_ID=ENTITY_ID_HERE" -secret-file secret-file.yaml \
    -duc -ms -t nuclei-templates/ -nmhe -lna -dka 30 -dt 30 -tags raw
```

or using docker:

```sh
docker run --rm -v ./:/app/ projectdiscovery/nuclei -u ACS_URL_HERE -V "SP_ENTITY_ID=ENTITY_ID_HERE" -secret-file secret-file.yaml \
    -duc -ms -t /app/nuclei-templates/ -nmhe -lna -dka 30 -dt 30 -tags raw
```

where

- `ACS_URL_HERE` is the assertion consumer service endpoint URL
- `ENTITY_ID_HERE` is the entity ID of the SP

It is expected that the SP will return HTTP code 200/302/303 on success and a different HTTP code on failure (e.g. when the SAML response is not signed).
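Because nuclei has to be invoked separately for each entity ID and the templates must not run in parallel for one SP, testing a fleet of SPs is a sequential loop around the raw HTTP command above. The following POSIX shell wrapper is an added example and not part of the sp_nuclei_test repository; it assumes a constructed tab-separated targets file (`acs_url<TAB>entity_id`, a format this project does not define) and that `NUCLEI` names the nuclei executable (default: `nuclei` on PATH).

```shell
#!/usr/bin/env sh
# Added example (not part of sp_nuclei_test): run the raw HTTP test against
# several SPs, one nuclei invocation per SP, strictly in sequence.
# Assumptions: targets file lines are "acs_url<TAB>entity_id" (constructed
# format), NUCLEI names the nuclei command, secret-file.yaml is already filled.
set -eu

NUCLEI="${NUCLEI:-nuclei}"
SECRET_FILE="${SECRET_FILE:-secret-file.yaml}"
TEMPLATES="${TEMPLATES:-nuclei-templates/}"

# Run the README's raw HTTP test for one SP; returns nuclei's exit status.
test_one_sp() {
  acs_url="$1"
  entity_id="$2"
  "$NUCLEI" -u "$acs_url" -V "SP_ENTITY_ID=$entity_id" -secret-file "$SECRET_FILE" \
    -duc -ms -t "$TEMPLATES" -nmhe -lna -dka 30 -dt 30 -tags raw
}

# Walk the targets file; blank lines and '#' comments are skipped. Each SP gets
# its own invocation because the templates cannot run in parallel for one
# entity ID. Prints the number of SPs tested; returns non-zero if the secret
# file is missing or if any nuclei run failed.
run_targets() {
  targets="$1"
  [ -r "$SECRET_FILE" ] || {
    echo "missing $SECRET_FILE (copy secret-file.example.yaml first)" >&2
    return 2
  }
  count=0
  failed=0
  while IFS="$(printf '\t')" read -r acs_url entity_id; do
    case "$acs_url" in ''|'#'*) continue ;; esac
    count=$((count + 1))
    echo "== testing $entity_id at $acs_url" >&2
    test_one_sp "$acs_url" "$entity_id" || failed=$((failed + 1))
  done < "$targets"
  echo "$count"
  [ "$failed" -eq 0 ]
}

# Usage: ./run_targets.sh targets.tsv
[ "$#" -eq 0 ] || run_targets "$1"
```

Point `NUCLEI` at a wrapper such as `docker run --rm -v ./:/app/ projectdiscovery/nuclei` (and `TEMPLATES` at `/app/nuclei-templates/`) to use the container variant instead.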
### Headless browser test (slower, with screenshots)

Run against one target:

```sh
nuclei --headless -u ACS_URL_HERE -V "SP_ENTITY_ID=ENTITY_ID_HERE" -V "BEARER_TOKEN=BEARER_TOKEN_HERE" \
    -duc -ms -t nuclei-templates/ -nmhe -lna -dka 30 -dt 30 -tags headless
```

or using docker:

```sh
docker run --rm -v ./:/app/ projectdiscovery/nuclei --headless -u ACS_URL_HERE -V "SP_ENTITY_ID=ENTITY_ID_HERE" \
    -V "BEARER_TOKEN=BEARER_TOKEN_HERE" -V "SCREENSHOTS_DIR=/app/" \
    -duc -ms -t /app/nuclei-templates/ -nmhe -lna -dka 30 -dt 30 -tags headless
```

where

- `ACS_URL_HERE` is the assertion consumer service endpoint URL
- `ENTITY_ID_HERE` is the entity ID of the SP
- `BEARER_TOKEN_HERE` is your authorization token for the conformance IdP
## Current limitations

- templates are only usable with the conformance IdP
- testing cannot be run in parallel for the same entity ID
- only the `HTTP-POST` binding is currently supported
- nuclei has to be invoked individually for each target (for each entity ID)
- only SPs which accept unsolicited logins (IdP-initiated) can be tested
- the headless browser test behaves differently than the raw HTTP test (nuclei limitation)